-rw-r--r--base/server/python/pki/server/__init__.py115
-rw-r--r--base/server/python/pki/server/ca.py92
-rw-r--r--base/server/python/pki/server/cli/ca.py206
-rw-r--r--base/server/python/pki/server/cli/subsystem.py383
-rw-r--r--base/server/python/pki/server/upgrade.py3
-rw-r--r--base/server/sbin/pki-server2
6 files changed, 720 insertions, 81 deletions
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index 9777d221f..d00446567 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -20,7 +20,11 @@
#
from lxml import etree
+import getpass
import grp
+import io
+import ldap
+import operator
import os
import pwd
import re
@@ -31,7 +35,7 @@ import pki
INSTANCE_BASE_DIR = '/var/lib/pki'
REGISTRY_DIR = '/etc/sysconfig/pki'
SUBSYSTEM_TYPES = ['ca', 'kra', 'ocsp', 'tks', 'tps']
-
+SUBSYSTEM_CLASSES = {}
class PKIServer(object):
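Review bot: `SUBSYSTEM_CLASSES` is filled only as an import side effect (the new `pki.server.ca` registers itself on its last line), so whether `PKIInstance.load()` hands back a `CASubsystem` or a plain `PKISubsystem` depends on which modules the caller happened to import first; `pki-server` imports `pki.server.cli.ca`, but `upgrade.py` in this same diff does not appear to. Either import the subsystem modules lazily inside `load()` or document the requirement on the constant: `# Populated by subsystem modules (e.g. pki.server.ca) on import; import them before PKIInstance.load()`. The hunk also drops the second blank line before `class PKIServer`, leaving one where PEP 8 wants two.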
@@ -65,6 +69,7 @@ class PKISubsystem(object):
self.base_dir = instance.base_dir
self.conf_dir = os.path.join(self.base_dir, 'conf')
+ self.cs_conf = os.path.join(self.conf_dir, 'CS.cfg')
self.context_xml_template = os.path.join(
pki.SHARE_DIR, self.name, 'conf', 'Catalina', 'localhost', self.name + '.xml')
@@ -72,9 +77,62 @@ class PKISubsystem(object):
self.context_xml = os.path.join(
instance.conf_dir, 'Catalina', 'localhost', self.name + '.xml')
+ self.config = {}
+ self.type = None
+ self.prefix = None
+
# custom subsystem location
self.doc_base = os.path.join(self.base_dir, 'webapps', self.name)
+ def load(self):
+ self.config.clear()
+
+ lines = open(self.cs_conf).read().splitlines()
+
+ for line in lines:
+ parts = line.split('=', 1)
+ name = parts[0]
+ value = parts[1]
+ self.config[name] = value
+
+ self.type = self.config['cs.type']
+ self.prefix = self.type.lower()
+
+ def find_subsystem_certs(self):
+ certs = []
+
+ cert_ids = self.config['%s.cert.list' % self.name].split(',')
+ for cert_id in cert_ids:
+ cert = self.create_subsystem_cert_object(cert_id)
+ certs.append(cert)
+
+ return certs
+
+ def get_subsystem_cert(self, cert_id):
+ return self.create_subsystem_cert_object(cert_id)
+
+ def create_subsystem_cert_object(self, cert_id):
+ cert = {}
+ cert['id'] = cert_id
+ cert['nickname'] = self.config.get('%s.%s.nickname' % (self.name, cert_id), None)
+ cert['token'] = self.config.get('%s.%s.tokenname' % (self.name, cert_id), None)
+ cert['data'] = self.config.get('%s.%s.cert' % (self.name, cert_id), None)
+ cert['request'] = self.config.get('%s.%s.certreq' % (self.name, cert_id), None)
+ return cert
+
+ def update_subsystem_cert(self, cert):
+ cert_id = cert['id']
+ self.config['%s.%s.nickname' % (self.name, cert_id)] = cert.get('nickname', None)
+ self.config['%s.%s.tokenname' % (self.name, cert_id)] = cert.get('token', None)
+ self.config['%s.%s.cert' % (self.name, cert_id)] = cert.get('data', None)
+ self.config['%s.%s.certreq' % (self.name, cert_id)] = cert.get('request', None)
+
+ def save(self):
+ sorted_config = sorted(self.config.items(), key=operator.itemgetter(0))
+ with io.open(self.cs_conf, 'wb') as f:
+ for (key, value) in sorted_config:
+ f.write('%s=%s\n' % (key, value))
+
def is_valid(self):
return os.path.exists(self.conf_dir)
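Review bot: `save()` rewrites CS.cfg in place through a plain `io.open(self.cs_conf, 'wb')`, so an interruption mid-write leaves a truncated configuration, and if the file has to be recreated it gets the caller's umask instead of the original owner and mode of a file that records the subsystem's key nicknames and token names. Write to a temporary file in the same directory, copy the original `st_mode`/`st_uid`/`st_gid` onto it, and `os.rename` it over CS.cfg so the replacement is atomic. `load()` also indexes `parts[1]` unconditionally, so a blank or `#` line raises IndexError; skip lines without `=` (and note that a save then drops them). `update_subsystem_cert` stores `None` for absent fields and `save()` serialises that as the literal string `None`, which the next `load()` will read back as a real value.
```python
    def save(self):
        sorted_config = sorted(self.config.items(), key=operator.itemgetter(0))
        tmp_path = self.cs_conf + '.tmp'
        with io.open(tmp_path, 'wb') as f:
            for (key, value) in sorted_config:
                f.write('%s=%s\n' % (key, value))
        # keep CS.cfg's owner and mode, then replace it atomically
        st = os.stat(self.cs_conf)
        os.chmod(tmp_path, st.st_mode)
        os.chown(tmp_path, st.st_uid, st.st_gid)
        os.rename(tmp_path, self.cs_conf)
```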
@@ -102,6 +160,21 @@ class PKISubsystem(object):
def disable(self):
self.instance.undeploy(self.name)
+ def open_database(self, name='internaldb'):
+
+ hostname = self.config['%s.ldapconn.host' % name]
+ port = self.config['%s.ldapconn.port' % name]
+ bind_dn = self.config['%s.ldapauth.bindDN' % name]
+
+ # TODO: add support for other authentication
+ # mechanisms (e.g. client cert authentication, LDAPI)
+ bind_password = self.instance.get_password(name)
+
+ con = ldap.initialize('ldap://%s:%s' % (hostname, port))
+ con.simple_bind_s(bind_dn, bind_password)
+
+ return con
+
def __repr__(self):
return str(self.instance) + '/' + self.name
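Review bot: `open_database` always dials `ldap://host:port` and performs a simple bind, so the internal-database bind password leaves the host in cleartext whenever the directory is not local; the TODO just above covers authentication mechanisms but not transport. If CS.cfg records whether this connection is meant to be TLS (Dogtag's LDAP connection settings normally carry such a flag — confirm the exact key), honour it by building an `ldaps://` URL or calling `con.start_tls_s()` before `simple_bind_s`, and do not fall back to plaintext silently. The method also returns a connection bound as the configured bind DN, typically a highly privileged account, so callers should release it in a `finally`.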
@@ -119,6 +192,9 @@ class PKIInstance(object):
self.base_dir = os.path.join(pki.BASE_DIR, name)
self.conf_dir = os.path.join(self.base_dir, 'conf')
+ self.password_conf = os.path.join(self.conf_dir, 'password.conf')
+
+ self.nssdb_dir = os.path.join(self.base_dir, 'alias')
self.lib_dir = os.path.join(self.base_dir, 'lib')
self.registry_dir = os.path.join(pki.server.REGISTRY_DIR, 'tomcat', self.name)
@@ -132,6 +208,8 @@ class PKIInstance(object):
self.uid = None
self.gid = None
+ self.passwords = {}
+
self.subsystems = []
def is_valid(self):
@@ -153,6 +231,7 @@ class PKIInstance(object):
return rc == 0
def load(self):
+ # load UID and GID
with open(self.registry_file, 'r') as registry:
lines = registry.readlines()
@@ -168,11 +247,41 @@ class PKIInstance(object):
self.group = m.group(1)
self.gid = grp.getgrnam(self.group).gr_gid
+ # load passwords
+ self.passwords.clear()
+ lines = open(self.password_conf).read().splitlines()
+
+ for line in lines:
+ parts = line.split('=', 1)
+ name = parts[0]
+ value = parts[1]
+ self.passwords[name] = value
+
+ # load subsystems
for subsystem_name in os.listdir(self.registry_dir):
- if subsystem_name in pki.server.SUBSYSTEM_TYPES:
- subsystem = PKISubsystem(self, subsystem_name)
+ if subsystem_name in SUBSYSTEM_TYPES:
+ if subsystem_name in SUBSYSTEM_CLASSES:
+ subsystem = SUBSYSTEM_CLASSES[subsystem_name](self)
+ else:
+ subsystem = PKISubsystem(self, subsystem_name)
+ subsystem.load()
self.subsystems.append(subsystem)
+ def get_password(self, name):
+ if name in self.passwords:
+ return self.passwords[name]
+
+ password = getpass.getpass(prompt='Enter password for %s: ' % name)
+ self.passwords[name] = password
+
+ return password
+
+ def get_subsystem(self, name):
+ for subsystem in self.subsystems:
+ if name == subsystem.name:
+ return subsystem
+ return None
+
def is_deployed(self, webapp_name):
context_xml = os.path.join(
self.conf_dir, 'Catalina', 'localhost', webapp_name + '.xml')
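Review bot: the password.conf parser at the top of the hunk indexes `parts[1]` unconditionally, so an empty line or a `#` comment in that file raises IndexError and aborts `PKIInstance.load()` for every command, including ones like `subsystem-find` that never need a password. Add `if '=' not in line: continue` before the split, and consider reading password.conf lazily from `get_password()` so that an unreadable password file only fails the commands that actually bind to the database. `get_subsystem()` returns `None` for an unknown name and none of the CLI callers in this diff check for it, so a mistyped subsystem ID surfaces as an AttributeError rather than a message.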
diff --git a/base/server/python/pki/server/ca.py b/base/server/python/pki/server/ca.py
new file mode 100644
index 000000000..70ebf4dd1
--- /dev/null
+++ b/base/server/python/pki/server/ca.py
@@ -0,0 +1,92 @@
+#!/usr/bin/python
+# Authors:
+# Endi S. Dewata <edewata@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2015 Red Hat, Inc.
+# All rights reserved.
+#
+
+from __future__ import absolute_import
+import ldap
+import ldap.filter
+
+import pki
+import pki.server
+
+
+class CASubsystem(pki.server.PKISubsystem):
+
+ def __init__(self, instance):
+ super(CASubsystem, self).__init__(instance, 'ca')
+
+ def find_cert_requests(self, cert=None):
+
+ base_dn = self.config['internaldb.basedn']
+
+ if cert:
+ escaped_value = ldap.filter.escape_filter_chars(cert)
+ search_filter = '(extdata-req--005fissued--005fcert=%s)' % escaped_value
+
+ else:
+ search_filter = '(objectClass=*)'
+
+ con = self.open_database()
+
+ entries = con.search_s(
+ 'ou=ca,ou=requests,%s' % base_dn,
+ ldap.SCOPE_ONELEVEL,
+ search_filter,
+ None)
+
+ con.unbind_s()
+
+ requests = []
+ for entry in entries:
+ requests.append(self.create_request_object(entry))
+
+ return requests
+
+ def get_cert_requests(self, request_id):
+
+ base_dn = self.config['internaldb.basedn']
+
+ con = self.open_database()
+
+ entries = con.search_s(
+ 'cn=%s,ou=ca,ou=requests,%s' % (request_id, base_dn),
+ ldap.SCOPE_BASE,
+ '(objectClass=*)',
+ None)
+
+ con.unbind_s()
+
+ entry = entries[0]
+ return self.create_request_object(entry)
+
+ def create_request_object(self, entry):
+
+ attrs = entry[1]
+
+ request = {}
+ request['id'] = attrs['cn'][0]
+ request['type'] = attrs['requestType'][0]
+ request['status'] = attrs['requestState'][0]
+ request['request'] = attrs['extdata-cert--005frequest'][0]
+
+ return request
+
+
+pki.server.SUBSYSTEM_CLASSES['ca'] = CASubsystem
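Review bot: `get_cert_requests` interpolates `request_id` straight into the search base `'cn=%s,ou=ca,ou=requests,%s'`, while its sibling `find_cert_requests` does escape its filter value; the ID comes from the command line, so a value containing `,` or `=` rewrites the DN instead of being looked up. Escape it with `ldap.dn.escape_dn_chars(request_id)` (adding `import ldap.dn` next to `import ldap.filter`), and handle an empty result or `ldap.NO_SUCH_OBJECT` instead of indexing `entries[0]`. In both methods the connection is only unbound on the success path; wrap the search in `try:`/`finally: con.unbind_s()`. The method is also named in the plural although it returns a single request.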
diff --git a/base/server/python/pki/server/cli/ca.py b/base/server/python/pki/server/cli/ca.py
new file mode 100644
index 000000000..2ad8652f4
--- /dev/null
+++ b/base/server/python/pki/server/cli/ca.py
@@ -0,0 +1,206 @@
+#!/usr/bin/python
+# Authors:
+# Endi S. Dewata <edewata@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2015 Red Hat, Inc.
+# All rights reserved.
+#
+
+from __future__ import absolute_import
+from __future__ import print_function
+import getopt
+import io
+import sys
+
+import pki.cli
+import pki.server.ca
+
+
+class CACLI(pki.cli.CLI):
+
+ def __init__(self):
+ super(CACLI, self).__init__(
+ 'ca', 'CA management commands')
+
+ self.add_module(CACertCLI())
+
+
+class CACertCLI(pki.cli.CLI):
+
+ def __init__(self):
+ super(CACertCLI, self).__init__(
+ 'cert', 'CA certificates management commands')
+
+ self.add_module(CACertRequestCLI())
+
+
+class CACertRequestCLI(pki.cli.CLI):
+
+ def __init__(self):
+ super(CACertRequestCLI, self).__init__(
+ 'request', 'CA certificate requests management commands')
+
+ self.add_module(CACertRequestFindCLI())
+ self.add_module(CACertRequestShowCLI())
+
+ @staticmethod
+ def print_request(request, details=False):
+ print(' Request ID: %s' % request['id'])
+ print(' Type: %s' % request['type'])
+ print(' Status: %s' % request['status'])
+
+ if details:
+ print(' Request: %s' % request['request'])
+
+
+class CACertRequestFindCLI(pki.cli.CLI):
+
+ def __init__(self):
+ super(CACertRequestFindCLI, self).__init__(
+ 'find', 'Find CA certificate requests')
+
+ def usage(self):
+ print('Usage: pki-server ca-cert-request-find [OPTIONS]')
+ print()
+ print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
+ print(' --cert Issued certificate.')
+ print(' --cert-file File containing issued certificate.')
+ print(' -v, --verbose Run in verbose mode.')
+ print(' --help Show help message.')
+ print()
+
+ def execute(self, args):
+
+ try:
+ opts, _ = getopt.gnu_getopt(args, 'i:v', [
+ 'instance=', 'cert=', 'cert-file=',
+ 'verbose', 'help'])
+
+ except getopt.GetoptError as e:
+ print('ERROR: ' + str(e))
+ self.usage()
+ sys.exit(1)
+
+ instance_name = 'pki-tomcat'
+ cert = None
+
+ for o, a in opts:
+ if o in ('-i', '--instance'):
+ instance_name = a
+
+ elif o == '--cert':
+ cert = a
+
+ elif o == '--cert-file':
+ with io.open(a, 'rb') as f:
+ cert = f.read()
+
+ elif o in ('-v', '--verbose'):
+ self.set_verbose(True)
+
+ elif o == '--help':
+ self.print_help()
+ sys.exit()
+
+ else:
+ print('ERROR: unknown option ' + o)
+ self.usage()
+ sys.exit(1)
+
+ instance = pki.server.PKIInstance(instance_name)
+ instance.load()
+
+ subsystem = instance.get_subsystem('ca')
+ results = subsystem.find_cert_requests(cert=cert)
+
+ self.print_message('%s entries matched' % len(results))
+
+ first = True
+ for request in results:
+ if first:
+ first = False
+ else:
+ print()
+
+ CACertRequestCLI.print_request(request)
+
+
+class CACertRequestShowCLI(pki.cli.CLI):
+
+ def __init__(self):
+ super(CACertRequestShowCLI, self).__init__(
+ 'show', 'Show CA certificate request')
+
+ def usage(self):
+ print('Usage: pki-server ca-cert-request-show <request ID> [OPTIONS]')
+ print()
+ print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
+ print(' -v, --verbose Run in verbose mode.')
+ print(' --help Show help message.')
+ print()
+
+ def execute(self, args):
+
+ try:
+ opts, args = getopt.gnu_getopt(args, 'i:v', [
+ 'instance=', 'output-file=',
+ 'verbose', 'help'])
+
+ except getopt.GetoptError as e:
+ print('ERROR: ' + str(e))
+ self.usage()
+ sys.exit(1)
+
+ if len(args) != 1:
+ print('ERROR: missing request ID')
+ self.usage()
+ sys.exit(1)
+
+ request_id = args[0]
+ instance_name = 'pki-tomcat'
+ output_file = None
+
+ for o, a in opts:
+ if o in ('-i', '--instance'):
+ instance_name = a
+
+ elif o == '--output-file':
+ output_file = a
+
+ elif o in ('-v', '--verbose'):
+ self.set_verbose(True)
+
+ elif o == '--help':
+ self.print_help()
+ sys.exit()
+
+ else:
+ print('ERROR: unknown option ' + o)
+ self.usage()
+ sys.exit(1)
+
+ instance = pki.server.PKIInstance(instance_name)
+ instance.load()
+
+ subsystem = instance.get_subsystem('ca')
+ request = subsystem.get_cert_requests(request_id)
+
+ if output_file:
+ with io.open(output_file, 'wb') as f:
+ f.write(request['request'])
+
+ else:
+ CACertRequestCLI.print_request(request, details=True)
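Review bot: `--cert-file` in `CACertRequestFindCLI.execute` passes the file's bytes to `find_cert_requests` untouched, whereas `SubsystemCertUpdateCLI` in this same commit re-wraps the base64 into 64-character CRLF lines before calling the same method, which suggests the stored attribute value has that exact shape; a PEM file with header lines or LF endings would then match nothing, reporting '0 entries matched' with no hint why. Normalise the input here the same way (drop the BEGIN/END lines, re-join, re-wrap), ideally in one shared helper so the two callers cannot drift. `CACertRequestShowCLI` accepts `--output-file` but its `usage()` does not list it, and both commands call `instance.get_subsystem('ca')` without checking for `None` on an instance that has no CA.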
diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
index 43eb564ee..fc89c2747 100644
--- a/base/server/python/pki/server/cli/subsystem.py
+++ b/base/server/python/pki/server/cli/subsystem.py
@@ -19,8 +19,12 @@
# All rights reserved.
#
+from __future__ import absolute_import
+from __future__ import print_function
+import base64
import getopt
-import os
+import nss.nss as nss
+import string
import sys
import pki.cli
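Review bot: `import string` is brought in only for `string.join` later in this file, which no longer exists in Python 3 even though the same hunk adds `from __future__ import print_function` to ease that move; `'\r\n'.join(lines)` and `''.join(lines)` work on both and make the import unnecessary. `nss.nss` also becomes a hard import at module load, so every `pki-server subsystem-*` command now requires python-nss to be installed, including find/show/enable/disable which never touch the NSS database.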
@@ -38,11 +42,13 @@ class SubsystemCLI(pki.cli.CLI):
self.add_module(SubsystemFindCLI())
self.add_module(SubsystemShowCLI())
+ self.add_module(SubsystemCertCLI())
+
@staticmethod
def print_subsystem(subsystem):
- print ' Subsystem ID: %s' % subsystem.name
- print ' Instance ID: %s' % subsystem.instance.name
- print ' Enabled: %s' % subsystem.is_enabled()
+ print(' Subsystem ID: %s' % subsystem.name)
+ print(' Instance ID: %s' % subsystem.instance.name)
+ print(' Enabled: %s' % subsystem.is_enabled())
class SubsystemFindCLI(pki.cli.CLI):
@@ -51,12 +57,12 @@ class SubsystemFindCLI(pki.cli.CLI):
super(SubsystemFindCLI, self).__init__('find', 'Find subsystems')
def usage(self):
- print 'Usage: pki-server subsystem-find [OPTIONS]'
- print
- print ' -i, --instance <instance ID> Instance ID.'
- print ' -v, --verbose Run in verbose mode.'
- print ' --help Show help message.'
- print
+ print('Usage: pki-server subsystem-find [OPTIONS]')
+ print()
+ print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
+ print(' -v, --verbose Run in verbose mode.')
+ print(' --help Show help message.')
+ print()
def execute(self, args):
@@ -66,11 +72,11 @@ class SubsystemFindCLI(pki.cli.CLI):
'verbose', 'help'])
except getopt.GetoptError as e:
- print 'ERROR: ' + str(e)
+ print('ERROR: ' + str(e))
self.usage()
sys.exit(1)
- instance_name = None
+ instance_name = 'pki-tomcat'
for o, a in opts:
if o in ('-i', '--instance'):
@@ -84,32 +90,17 @@ class SubsystemFindCLI(pki.cli.CLI):
sys.exit()
else:
- print 'ERROR: unknown option ' + o
+ print('ERROR: unknown option ' + o)
self.usage()
sys.exit(1)
- if not instance_name:
- print 'ERROR: missing instance ID'
- self.usage()
- sys.exit(1)
-
instance = pki.server.PKIInstance(instance_name)
instance.load()
- results = []
-
- for name in os.listdir(instance.base_dir):
-
- subsystem = pki.server.PKISubsystem(instance, name)
- if not subsystem.is_valid():
- continue
-
- results.append(subsystem)
-
- self.print_message('%s entries matched' % len(results))
+ self.print_message('%s entries matched' % len(instance.subsystems))
first = True
- for subsystem in results:
+ for subsystem in instance.subsystems:
if first:
first = False
else:
@@ -124,12 +115,12 @@ class SubsystemShowCLI(pki.cli.CLI):
super(SubsystemShowCLI, self).__init__('show', 'Show subsystem')
def usage(self):
- print 'Usage: pki-server subsystem-show [OPTIONS] <subsystem ID>'
- print
- print ' -i, --instance <instance ID> Instance ID.'
- print ' -v, --verbose Run in verbose mode.'
- print ' --help Show help message.'
- print
+ print('Usage: pki-server subsystem-show [OPTIONS] <subsystem ID>')
+ print()
+ print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
+ print(' -v, --verbose Run in verbose mode.')
+ print(' --help Show help message.')
+ print()
def execute(self, argv):
@@ -139,17 +130,17 @@ class SubsystemShowCLI(pki.cli.CLI):
'verbose', 'help'])
except getopt.GetoptError as e:
- print 'ERROR: ' + str(e)
+ print('ERROR: ' + str(e))
self.usage()
sys.exit(1)
if len(args) != 1:
- print 'ERROR: missing subsystem ID'
+ print('ERROR: missing subsystem ID')
self.usage()
sys.exit(1)
subsystem_name = args[0]
- instance_name = None
+ instance_name = 'pki-tomcat'
for o, a in opts:
if o in ('-i', '--instance'):
@@ -163,19 +154,14 @@ class SubsystemShowCLI(pki.cli.CLI):
sys.exit()
else:
- print 'ERROR: unknown option ' + o
+ print('ERROR: unknown option ' + o)
self.usage()
sys.exit(1)
- if not instance_name:
- print 'ERROR: missing instance ID'
- self.usage()
- sys.exit(1)
-
instance = pki.server.PKIInstance(instance_name)
instance.load()
- subsystem = pki.server.PKISubsystem(instance, subsystem_name)
+ subsystem = instance.get_subsystem(subsystem_name)
SubsystemCLI.print_subsystem(subsystem)
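Review bot: `instance.get_subsystem(subsystem_name)` returns `None` for an ID that is not deployed in the instance, and `SubsystemCLI.print_subsystem(subsystem)` then fails with an AttributeError instead of a message; the replaced code constructed the object directly, so this is a new failure mode. Add `if subsystem is None: print('ERROR: No %s subsystem in instance %s' % (subsystem_name, instance_name)); sys.exit(1)` before the print. The enable and disable hunks below have the same gap.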
@@ -186,12 +172,12 @@ class SubsystemEnableCLI(pki.cli.CLI):
super(SubsystemEnableCLI, self).__init__('enable', 'Enable subsystem')
def usage(self):
- print 'Usage: pki-server subsystem-enable [OPTIONS] <subsystem ID>'
- print
- print ' -i, --instance <instance ID> Instance ID.'
- print ' -v, --verbose Run in verbose mode.'
- print ' --help Show help message.'
- print
+ print('Usage: pki-server subsystem-enable [OPTIONS] <subsystem ID>')
+ print()
+ print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
+ print(' -v, --verbose Run in verbose mode.')
+ print(' --help Show help message.')
+ print()
def execute(self, argv):
@@ -201,17 +187,17 @@ class SubsystemEnableCLI(pki.cli.CLI):
'verbose', 'help'])
except getopt.GetoptError as e:
- print 'ERROR: ' + str(e)
+ print('ERROR: ' + str(e))
self.usage()
sys.exit(1)
if len(args) != 1:
- print 'ERROR: missing subsystem ID'
+ print('ERROR: missing subsystem ID')
self.usage()
sys.exit(1)
subsystem_name = args[0]
- instance_name = None
+ instance_name = 'pki-tomcat'
for o, a in opts:
if o in ('-i', '--instance'):
@@ -225,19 +211,14 @@ class SubsystemEnableCLI(pki.cli.CLI):
sys.exit()
else:
- print 'ERROR: unknown option ' + o
+ print('ERROR: unknown option ' + o)
self.usage()
sys.exit(1)
- if not instance_name:
- print 'ERROR: missing instance ID'
- self.usage()
- sys.exit(1)
-
instance = pki.server.PKIInstance(instance_name)
instance.load()
- subsystem = pki.server.PKISubsystem(instance, subsystem_name)
+ subsystem = instance.get_subsystem(subsystem_name)
subsystem.enable()
self.print_message('Enabled "%s" subsystem' % subsystem_name)
@@ -251,12 +232,12 @@ class SubsystemDisableCLI(pki.cli.CLI):
super(SubsystemDisableCLI, self).__init__('disable', 'Disable subsystem')
def usage(self):
- print 'Usage: pki-server subsystem-disable [OPTIONS] <subsystem ID>'
- print
- print ' -i, --instance <instance ID> Instance ID.'
- print ' -v, --verbose Run in verbose mode.'
- print ' --help Show help message.'
- print
+ print('Usage: pki-server subsystem-disable [OPTIONS] <subsystem ID>')
+ print()
+ print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
+ print(' -v, --verbose Run in verbose mode.')
+ print(' --help Show help message.')
+ print()
def execute(self, argv):
@@ -266,17 +247,17 @@ class SubsystemDisableCLI(pki.cli.CLI):
'verbose', 'help'])
except getopt.GetoptError as e:
- print 'ERROR: ' + str(e)
+ print('ERROR: ' + str(e))
self.usage()
sys.exit(1)
if len(args) != 1:
- print 'ERROR: missing subsystem ID'
+ print('ERROR: missing subsystem ID')
self.usage()
sys.exit(1)
subsystem_name = args[0]
- instance_name = None
+ instance_name = 'pki-tomcat'
for o, a in opts:
if o in ('-i', '--instance'):
@@ -290,21 +271,267 @@ class SubsystemDisableCLI(pki.cli.CLI):
sys.exit()
else:
- print 'ERROR: unknown option ' + o
+ print('ERROR: unknown option ' + o)
self.usage()
sys.exit(1)
- if not instance_name:
- print 'ERROR: missing instance ID'
- self.usage()
- sys.exit(1)
-
instance = pki.server.PKIInstance(instance_name)
instance.load()
- subsystem = pki.server.PKISubsystem(instance, subsystem_name)
+ subsystem = instance.get_subsystem(subsystem_name)
subsystem.disable()
self.print_message('Disabled "%s" subsystem' % subsystem_name)
SubsystemCLI.print_subsystem(subsystem)
+
+
+class SubsystemCertCLI(pki.cli.CLI):
+
+ def __init__(self):
+ super(SubsystemCertCLI, self).__init__(
+ 'cert', 'Subsystem certificate management commands')
+
+ self.add_module(SubsystemCertFindCLI())
+ self.add_module(SubsystemCertShowCLI())
+ self.add_module(SubsystemCertUpdateCLI())
+
+ @staticmethod
+ def print_subsystem_cert(cert):
+ print(' Cert ID: %s' % cert['id'])
+ print(' Nickname: %s' % cert['nickname'])
+ print(' Token: %s' % cert['token'])
+ print(' Certificate: %s' % cert['data'])
+ print(' Request: %s' % cert['request'])
+
+
+class SubsystemCertFindCLI(pki.cli.CLI):
+
+ def __init__(self):
+ super(SubsystemCertFindCLI, self).__init__(
+ 'find', 'Find subsystem certificates')
+
+ def usage(self):
+ print('Usage: pki-server subsystem-cert-find [OPTIONS] <subsystem ID>')
+ print()
+ print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
+ print(' -v, --verbose Run in verbose mode.')
+ print(' --help Show help message.')
+ print()
+
+ def execute(self, argv):
+
+ try:
+ opts, args = getopt.getopt(argv, 'i:v', [
+ 'instance=',
+ 'verbose', 'help'])
+
+ except getopt.GetoptError as e:
+ print('ERROR: ' + str(e))
+ self.usage()
+ sys.exit(1)
+
+ if len(args) != 1:
+ print('ERROR: missing subsystem ID')
+ self.usage()
+ sys.exit(1)
+
+ subsystem_name = args[0]
+ instance_name = 'pki-tomcat'
+
+ for o, a in opts:
+ if o in ('-i', '--instance'):
+ instance_name = a
+
+ elif o in ('-v', '--verbose'):
+ self.set_verbose(True)
+
+ elif o == '--help':
+ self.print_help()
+ sys.exit()
+
+ else:
+ print('ERROR: unknown option ' + o)
+ self.usage()
+ sys.exit(1)
+
+ instance = pki.server.PKIInstance(instance_name)
+ instance.load()
+
+ subsystem = instance.get_subsystem(subsystem_name)
+ results = subsystem.find_subsystem_certs()
+
+ self.print_message('%s entries matched' % len(results))
+
+ first = True
+ for cert in results:
+ if first:
+ first = False
+ else:
+ print()
+
+ SubsystemCertCLI.print_subsystem_cert(cert)
+
+
+class SubsystemCertShowCLI(pki.cli.CLI):
+
+ def __init__(self):
+ super(SubsystemCertShowCLI, self).__init__(
+ 'show', 'Show subsystem certificate')
+
+ def usage(self):
+ print('Usage: pki-server subsystem-cert-show [OPTIONS] <subsystem ID> <cert ID>')
+ print()
+ print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
+ print(' -v, --verbose Run in verbose mode.')
+ print(' --help Show help message.')
+ print()
+
+ def execute(self, argv):
+
+ try:
+ opts, args = getopt.getopt(argv, 'i:v', [
+ 'instance=',
+ 'verbose', 'help'])
+
+ except getopt.GetoptError as e:
+ print('ERROR: ' + str(e))
+ self.usage()
+ sys.exit(1)
+
+ if len(args) < 1:
+ print('ERROR: missing subsystem ID')
+ self.usage()
+ sys.exit(1)
+
+ if len(args) < 2:
+ print('ERROR: missing cert ID')
+ self.usage()
+ sys.exit(1)
+
+ subsystem_name = args[0]
+ cert_id = args[1]
+ instance_name = 'pki-tomcat'
+
+ for o, a in opts:
+ if o in ('-i', '--instance'):
+ instance_name = a
+
+ elif o in ('-v', '--verbose'):
+ self.set_verbose(True)
+
+ elif o == '--help':
+ self.print_help()
+ sys.exit()
+
+ else:
+ print('ERROR: unknown option ' + o)
+ self.usage()
+ sys.exit(1)
+
+ instance = pki.server.PKIInstance(instance_name)
+ instance.load()
+
+ subsystem = instance.get_subsystem(subsystem_name)
+ subsystem_cert = subsystem.get_subsystem_cert(cert_id)
+
+ SubsystemCertCLI.print_subsystem_cert(subsystem_cert)
+
+
+class SubsystemCertUpdateCLI(pki.cli.CLI):
+
+ def __init__(self):
+ super(SubsystemCertUpdateCLI, self).__init__(
+ 'update', 'Update subsystem certificate')
+
+ def usage(self):
+ print('Usage: pki-server subsystem-cert-update [OPTIONS] <subsystem ID> <cert ID>')
+ print()
+ print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
+ print(' -v, --verbose Run in verbose mode.')
+ print(' --help Show help message.')
+ print()
+
+ def execute(self, argv):
+
+ try:
+ opts, args = getopt.getopt(argv, 'i:v', [
+ 'instance=',
+ 'verbose', 'help'])
+
+ except getopt.GetoptError as e:
+ print('ERROR: ' + str(e))
+ self.usage()
+ sys.exit(1)
+
+ if len(args) < 1:
+ print('ERROR: missing subsystem ID')
+ self.usage()
+ sys.exit(1)
+
+ if len(args) < 2:
+ print('ERROR: missing cert ID')
+ self.usage()
+ sys.exit(1)
+
+ subsystem_name = args[0]
+ cert_id = args[1]
+ instance_name = 'pki-tomcat'
+
+ for o, a in opts:
+ if o in ('-i', '--instance'):
+ instance_name = a
+
+ elif o in ('-v', '--verbose'):
+ self.set_verbose(True)
+
+ elif o == '--help':
+ self.print_help()
+ sys.exit()
+
+ else:
+ print('ERROR: unknown option ' + o)
+ self.usage()
+ sys.exit(1)
+
+ instance = pki.server.PKIInstance(instance_name)
+ instance.load()
+
+ subsystem = instance.get_subsystem(subsystem_name)
+ subsystem_cert = subsystem.get_subsystem_cert(cert_id)
+
+ # get cert data from NSS database
+ nss.nss_init(instance.nssdb_dir)
+ nss_cert = nss.find_cert_from_nickname(subsystem_cert['nickname'])
+ data = base64.b64encode(nss_cert.der_data)
+ del nss_cert
+ nss.nss_shutdown()
+ subsystem_cert['data'] = data
+
+ # format cert data for LDAP database
+ lines = [data[i:i+64] for i in range(0, len(data), 64)]
+ data = string.join(lines, '\r\n') + '\r\n'
+
+ # get cert request from local CA
+ # TODO: add support for remote CA
+ ca = instance.get_subsystem('ca')
+ results = ca.find_cert_requests(cert=data)
+ cert_request = results[-1]
+ request = cert_request['request']
+
+ # format cert request for CS.cfg
+ lines = request.splitlines()
+ if lines[0] == '-----BEGIN CERTIFICATE REQUEST-----':
+ lines = lines[1:]
+ if lines[-1] == '-----END CERTIFICATE REQUEST-----':
+ lines = lines[:-1]
+ request = string.join(lines, '')
+ subsystem_cert['request'] = request
+
+ # store cert data and request in CS.cfg
+ subsystem.update_subsystem_cert(subsystem_cert)
+ subsystem.save()
+
+ self.print_message('Updated "%s" subsystem certificate' % cert_id)
+
+ SubsystemCertCLI.print_subsystem_cert(subsystem_cert)
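Review bot: `SubsystemCertUpdateCLI.execute` takes `results[-1]` as the request that issued the certificate, so an empty result list becomes an IndexError and, when several requests match, the choice depends on the directory's result ordering rather than on anything recorded in the request. Check for no match and for more than one match explicitly and fail with a message rather than silently recording whichever request came last in CS.cfg. The NSS lookup ignores `subsystem_cert['token']` and passes a possibly-`None` nickname to `nss.find_cert_from_nickname` (for a non-internal token NSS normally expects the `token:nickname` form — confirm), and `nss.nss_shutdown()` is skipped if that lookup raises; wrap it in `try`/`finally`.
```python
            # get cert data from NSS database
            nss.nss_init(instance.nssdb_dir)
            try:
                nss_cert = nss.find_cert_from_nickname(subsystem_cert['nickname'])
                data = base64.b64encode(nss_cert.der_data)
                del nss_cert
            finally:
                nss.nss_shutdown()
            subsystem_cert['data'] = data

            # … unchanged: format cert data for LDAP database …

            results = ca.find_cert_requests(cert=data)
            if not results:
                print('ERROR: no request found for certificate %s' % cert_id)
                sys.exit(1)
            if len(results) > 1:
                print('ERROR: %d requests match certificate %s' % (len(results), cert_id))
                sys.exit(1)
            cert_request = results[0]

            # … unchanged: format cert request for CS.cfg, save …
```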
diff --git a/base/server/python/pki/server/upgrade.py b/base/server/python/pki/server/upgrade.py
index c9426a07c..f82ffe670 100644
--- a/base/server/python/pki/server/upgrade.py
+++ b/base/server/python/pki/server/upgrade.py
@@ -220,6 +220,7 @@ class PKIServerUpgrader(pki.upgrade.PKIUpgrader):
if self.subsystemName:
subsystem = pki.server.PKISubsystem(instance, self.subsystemName)
subsystem.validate()
+ subsystem.load()
return [subsystem]
subsystem_list = []
@@ -232,6 +233,7 @@ class PKIServerUpgrader(pki.upgrade.PKIUpgrader):
if subsystemName in pki.server.SUBSYSTEM_TYPES:
subsystem = pki.server.PKISubsystem(instance, subsystemName)
subsystem.validate()
+ subsystem.load()
subsystem_list.append(subsystem)
else:
for subsystemName in pki.server.SUBSYSTEM_TYPES:
@@ -242,6 +244,7 @@ class PKIServerUpgrader(pki.upgrade.PKIUpgrader):
if os.path.exists(registry_dir):
subsystem = pki.server.PKISubsystem(instance, subsystemName)
subsystem.validate()
+ subsystem.load()
subsystem_list.append(subsystem)
subsystem_list.sort()
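Review bot: the upgrader still builds subsystems with `pki.server.PKISubsystem(instance, subsystemName)` directly, while `PKIInstance.load()` in this commit consults `SUBSYSTEM_CLASSES` so a `ca` subsystem becomes a `CASubsystem`; an upgrade scriptlet relying on CA-specific methods would see the generic class here. Route construction through the same lookup in all three places, e.g. `cls = pki.server.SUBSYSTEM_CLASSES.get(subsystemName)` / `subsystem = cls(instance) if cls else pki.server.PKISubsystem(instance, subsystemName)`, bearing in mind the registry is only populated once `pki.server.ca` has been imported. The added `subsystem.load()` also makes a missing or malformed CS.cfg fatal for the whole upgrade run, which may be intended but is a behaviour change worth calling out.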
diff --git a/base/server/sbin/pki-server b/base/server/sbin/pki-server
index 627a4765e..cdfd98ee1 100644
--- a/base/server/sbin/pki-server
+++ b/base/server/sbin/pki-server
@@ -23,6 +23,7 @@ import getopt
import sys
import pki.cli
+import pki.server.cli.ca
import pki.server.cli.instance
import pki.server.cli.subsystem
import pki.server.cli.migrate
@@ -35,6 +36,7 @@ class PKIServerCLI(pki.cli.CLI):
super(PKIServerCLI, self).__init__('pki-server', 'PKI server command-line interface')
+ self.add_module(pki.server.cli.ca.CACLI())
self.add_module(pki.server.cli.instance.InstanceCLI())
self.add_module(pki.server.cli.subsystem.SubsystemCLI())
self.add_module(pki.server.cli.migrate.MigrateCLI())